From: bill.c.roberts@gmail.com
To: selinux@vger.kernel.org, drepper@redhat.com, omosnace@redhat.com,
stephen.smalley.work@gmail.com, plautrba@redhat.com
Cc: William Roberts <william.c.roberts@intel.com>
Subject: [PATCH v2 3/4] Makefile: add linker script to minimize exports
Date: Fri, 28 Feb 2020 08:05:23 -0600 [thread overview]
Message-ID: <20200228140524.2404-4-william.c.roberts@intel.com> (raw)
In-Reply-To: <20200228140524.2404-1-william.c.roberts@intel.com>
From: William Roberts <william.c.roberts@intel.com>
Add a linker script that exports only what was previously exported by
libselinux.
This was checked by generating an old export map (from master):
nm --defined-only -g ./src/libselinux.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map
Then creating a new one for this library after this patch is applied:
nm --defined-only -g ./src/libselinux.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map
And diffing them:
diff old.map new.map
Fixes: #179
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
libselinux/src/Makefile | 2 +-
libselinux/src/libselinux.map | 249 ++++++++++++++++++++++++++++++++++
2 files changed, 250 insertions(+), 1 deletion(-)
create mode 100644 libselinux/src/libselinux.map
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index c76110fbc650..f74dbeb983dd 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -90,7 +90,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi
-Werror -Wno-aggregate-return -Wno-redundant-decls \
$(EXTRA_CFLAGS)
-LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro
+LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro-Wl,--version-script=libselinux.map
ifeq ($(OS), Darwin)
override CFLAGS += -I/opt/local/include
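Review bot: The new `LD_SONAME_FLAGS` value has no separator between `relro` and the appended option; it reads `-z,relro-Wl,--version-script=libselinux.map`. If the variable is expanded behind a `-Wl,` prefix (the link rule is outside this hunk), the linker would receive `-z relro-Wl`, which is not a known `-z` keyword, so the library would probably be linked without RELRO hardening while the version script still takes effect. Because the value is already a comma-separated linker argument list, a plain comma is enough: `LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro,--version-script=libselinux.map`. Checking the built library with `readelf -l` for a `GNU_RELRO` segment would confirm the flag survived, since GNU ld typically only warns about an unrecognised `-z` keyword.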
diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map
new file mode 100644
index 000000000000..73f4c072af02
--- /dev/null
+++ b/libselinux/src/libselinux.map
@@ -0,0 +1,249 @@
+LIBSELINUX_1.0 {
+ global:
+ avc_add_callback;
+ avc_audit;
+ avc_av_stats;
+ avc_cache_stats;
+ avc_cleanup;
+ avc_compute_create;
+ avc_compute_member;
+ avc_context_to_sid;
+ avc_context_to_sid_raw;
+ avc_destroy;
+ avc_get_initial_sid;
+ avc_has_perm;
+ avc_has_perm_noaudit;
+ avc_init;
+ avc_netlink_acquire_fd;
+ avc_netlink_check_nb;
+ avc_netlink_close;
+ avc_netlink_loop;
+ avc_netlink_open;
+ avc_netlink_release_fd;
+ avc_open;
+ avc_reset;
+ avc_sid_stats;
+ avc_sid_to_context;
+ avc_sid_to_context_raw;
+ checkPasswdAccess;
+ context_free;
+ context_new;
+ context_range_get;
+ context_range_set;
+ context_role_get;
+ context_role_set;
+ context_str;
+ context_type_get;
+ context_type_set;
+ context_user_get;
+ context_user_set;
+ dir_xattr_list;
+ fgetfilecon;
+ fgetfilecon_raw;
+ fini_selinuxmnt;
+ freecon;
+ freeconary;
+ fsetfilecon;
+ fsetfilecon_raw;
+ getcon;
+ getcon_raw;
+ get_default_context;
+ get_default_context_with_level;
+ get_default_context_with_role;
+ get_default_context_with_rolelevel;
+ get_default_type;
+ getexeccon;
+ getexeccon_raw;
+ getfilecon;
+ getfilecon_raw;
+ getfscreatecon;
+ getfscreatecon_raw;
+ getkeycreatecon;
+ getkeycreatecon_raw;
+ get_ordered_context_list;
+ get_ordered_context_list_with_level;
+ getpeercon;
+ getpeercon_raw;
+ getpidcon;
+ getpidcon_raw;
+ getprevcon;
+ getprevcon_raw;
+ getseuser;
+ getseuserbyname;
+ getsockcreatecon;
+ getsockcreatecon_raw;
+ is_context_customizable;
+ is_selinux_enabled;
+ is_selinux_mls_enabled;
+ lgetfilecon;
+ lgetfilecon_raw;
+ lsetfilecon;
+ lsetfilecon_raw;
+ manual_user_enter_context;
+ map_class;
+ map_decision;
+ map_perm;
+ matchmediacon;
+ matchpathcon;
+ matchpathcon_checkmatches;
+ matchpathcon_filespec_add;
+ matchpathcon_filespec_destroy;
+ matchpathcon_filespec_eval;
+ matchpathcon_fini;
+ matchpathcon_index;
+ matchpathcon_init;
+ matchpathcon_init_prefix;
+ mode_to_security_class;
+ myprintf_compat;
+ print_access_vector;
+ query_user_context;
+ realpath_not_final;
+ rpm_execcon;
+ security_av_perm_to_string;
+ security_av_string;
+ security_canonicalize_context;
+ security_canonicalize_context_raw;
+ security_check_context;
+ security_check_context_raw;
+ security_class_to_string;
+ security_commit_booleans;
+ security_compute_av;
+ security_compute_av_flags;
+ security_compute_av_flags_raw;
+ security_compute_av_raw;
+ security_compute_create;
+ security_compute_create_name;
+ security_compute_create_name_raw;
+ security_compute_create_raw;
+ security_compute_member;
+ security_compute_member_raw;
+ security_compute_relabel;
+ security_compute_relabel_raw;
+ security_compute_user;
+ security_compute_user_raw;
+ security_deny_unknown;
+ security_disable;
+ security_get_boolean_active;
+ security_get_boolean_names;
+ security_get_boolean_pending;
+ security_get_checkreqprot;
+ security_getenforce;
+ security_get_initial_context;
+ security_get_initial_context_raw;
+ security_load_booleans;
+ security_load_policy;
+ security_policyvers;
+ security_reject_unknown;
+ security_set_boolean;
+ security_set_boolean_list;
+ security_setenforce;
+ security_validatetrans;
+ security_validatetrans_raw;
+ selabel_close;
+ selabel_cmp;
+ selabel_digest;
+ selabel_get_digests_all_partial_matches;
+ selabel_hash_all_partial_matches;
+ selabel_lookup;
+ selabel_lookup_best_match;
+ selabel_lookup_best_match_raw;
+ selabel_lookup_raw;
+ selabel_open;
+ selabel_partial_match;
+ selabel_stats;
+ selinux_binary_policy_path;
+ selinux_booleans_path;
+ selinux_booleans_subs_path;
+ selinux_boolean_sub;
+ selinux_check_access;
+ selinux_check_passwd_access;
+ selinux_check_securetty_context;
+ selinux_colors_path;
+ selinux_contexts_path;
+ selinux_current_policy_path;
+ selinux_customizable_types_path;
+ selinux_default_context_path;
+ selinux_default_type_path;
+ selinux_failsafe_context_path;
+ selinux_file_context_cmp;
+ selinux_file_context_homedir_path;
+ selinux_file_context_local_path;
+ selinux_file_context_path;
+ selinux_file_context_subs_dist_path;
+ selinux_file_context_subs_path;
+ selinux_file_context_verify;
+ selinux_flush_class_cache;
+ selinuxfs_exists;
+ selinux_get_callback;
+ selinux_getenforcemode;
+ selinux_getpolicytype;
+ selinux_homedir_context_path;
+ selinux_init_load_policy;
+ selinux_lsetfilecon_default;
+ selinux_lxc_contexts_path;
+ selinux_media_context_path;
+ selinux_mkload_policy;
+ selinux_mnt;
+ selinux_netfilter_context_path;
+ selinux_openrc_contexts_path;
+ selinux_openssh_contexts_path;
+ selinux_path;
+ selinux_policy_root;
+ selinux_raw_context_to_color;
+ selinux_raw_to_trans_context;
+ selinux_removable_context_path;
+ selinux_reset_config;
+ selinux_restorecon;
+ selinux_restorecon_default_handle;
+ selinux_restorecon_set_alt_rootpath;
+ selinux_restorecon_set_exclude_list;
+ selinux_restorecon_set_sehandle;
+ selinux_restorecon_xattr;
+ selinux_securetty_types_path;
+ selinux_sepgsql_context_path;
+ selinux_set_callback;
+ selinux_set_mapping;
+ selinux_set_policy_root;
+ selinux_snapperd_contexts_path;
+ selinux_status_close;
+ selinux_status_deny_unknown;
+ selinux_status_getenforce;
+ selinux_status_open;
+ selinux_status_policyload;
+ selinux_status_updated;
+ selinux_systemd_contexts_path;
+ selinux_translations_path;
+ selinux_trans_to_raw_context;
+ selinux_user_contexts_path;
+ selinux_usersconf_path;
+ selinux_users_path;
+ selinux_virtual_domain_context_path;
+ selinux_virtual_image_context_path;
+ selinux_x_context_path;
+ setcon;
+ setcon_raw;
+ setexeccon;
+ setexeccon_raw;
+ setexecfilecon;
+ setfilecon;
+ setfilecon_raw;
+ setfscreatecon;
+ setfscreatecon_raw;
+ setkeycreatecon;
+ setkeycreatecon_raw;
+ set_matchpathcon_canoncon;
+ set_matchpathcon_flags;
+ set_matchpathcon_invalidcon;
+ set_matchpathcon_printf;
+ set_selinuxmnt;
+ setsockcreatecon;
+ setsockcreatecon_raw;
+ sidget;
+ sidput;
+ string_to_av_perm;
+ string_to_security_class;
+ unmap_class;
+ unmap_perm;
+ local:
+ *;
+};
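Review bot: The `local: *;` catch-all that closes the node hides every symbol not listed under `global:`, but the check in the commit message filters both lists with `grep -v '^_'`, so a previously exported symbol whose name begins with an underscore would turn local without appearing in `diff old.map new.map`. Comparing the unfiltered `nm --defined-only -g` output, or reviewing the filtered-out names by hand, would close that gap. Some entries, such as `myprintf_compat`, `realpath_not_final` and `dir_xattr_list`, read like internal helpers, and listing them here makes them part of the versioned ABI. A header comment such as `/* LIBSELINUX_1.0: symbols exported before this map existed; add new API in a new version node */` would make that contract explicit for later maintainers.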
--
2.17.1